From 2d6917178df81810f1ff427ec6d9c132da20b33f Mon Sep 17 00:00:00 2001
From: Chloe Deguzman
Date: Wed, 2 Mar 2016 15:51:51 +0000
Subject: [PATCH] Cleaned up some issues with xss on error pages.

---
 framework/src/templates/Exception.phtml | 4 ++--
 workflow/engine/controllers/adminProxy.php | 2 +-
 .../methods/cases/casesStreamingFile.php | 4 ++--
 .../engine/methods/cases/cases_Redirect.php | 2 +-
 .../engine/skinEngine/neoclassic/error404.php | 21 ++++++++++++++++++-
 5 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/framework/src/templates/Exception.phtml b/framework/src/templates/Exception.phtml
index 0d821fb2f..af2526926 100644
--- a/framework/src/templates/Exception.phtml
+++ b/framework/src/templates/Exception.phtml
@@ -70,7 +70,7 @@

RuntimeException: -
+

@@ -88,4 +88,4 @@
- 
\ No newline at end of file
+ 
diff --git a/workflow/engine/controllers/adminProxy.php b/workflow/engine/controllers/adminProxy.php
index 467cb39d0..f17372c0c 100644
--- a/workflow/engine/controllers/adminProxy.php
+++ b/workflow/engine/controllers/adminProxy.php
@@ -313,7 +313,7 @@ class adminProxy extends HttpProxyController
 public function testingOption($params) {
 $data['success'] = true;
- $data['optionAuthS'] = $params->optionAuthS;
+ $data['optionAuthS'] = htmlspecialchars($params->optionAuthS;
 return $data;
 }
diff --git a/workflow/engine/methods/cases/casesStreamingFile.php b/workflow/engine/methods/cases/casesStreamingFile.php
index 77116077d..f4def7ef6 100644
--- a/workflow/engine/methods/cases/casesStreamingFile.php
+++ b/workflow/engine/methods/cases/casesStreamingFile.php
@@ -6,7 +6,7 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
 if ($actionAjax == "streaming") {
 $app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null;
- $inp_doc_uid = isset( $_REQUEST['d'] ) ? $_REQUEST['d'] : null;
+ $inp_doc_uid = isset( $_REQUEST['d'] ) ? htmlspecialchars($_REQUEST['d']) : null;
 $oAppDocument = new \AppDocument();
 if (! isset( $fileData['version'] )) {
@@ -52,7 +52,7 @@ if ($actionAjax == "streaming") {
 if ($actionAjax == "fileMobile") {
 $app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null;
- $inp_doc_uid = isset( $_REQUEST['d'] ) ? $_REQUEST['d'] : null;
+ $inp_doc_uid = isset( $_REQUEST['d'] ) ? htmlspecialchars($_REQUEST['d']) : null;
 $structure = file_get_contents(PATH_HTML ."/mobile/index.json");
 $structure = json_decode($structure);
diff --git a/workflow/engine/methods/cases/cases_Redirect.php b/workflow/engine/methods/cases/cases_Redirect.php
index a6cb95f65..3ab1bd579 100755
--- a/workflow/engine/methods/cases/cases_Redirect.php
+++ b/workflow/engine/methods/cases/cases_Redirect.php
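Review bot: The added assignment in testingOption does not parse — `htmlspecialchars($params->optionAuthS;` is missing its closing parenthesis — so PHP fails to compile adminProxy.php and every action routed through this controller breaks, not just this one. It should read `$data['optionAuthS'] = htmlspecialchars($params->optionAuthS, ENT_QUOTES, 'UTF-8');`, with ENT_QUOTES passed explicitly because the default flags on PHP releases before 8.1 leave single quotes unescaped. This also moves HTML escaping into the controller's JSON response rather than the render step; if the front end inserts optionAuthS as text rather than as HTML, users will see literal entities, so it is worth confirming how the client consumes this field before settling on the encoder.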
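Review bot: In both hunks (`@@ -6,7` and `@@ -52,7`) `htmlspecialchars()` is applied to `$_REQUEST['d']` at the point it is read, but `$inp_doc_uid` is an identifier that is presumably handed to the `\AppDocument` instantiated two lines later for a lookup, not text written into HTML, so the escape does not make the lookup any safer and only corrupts a value that happens to contain `&`, `<` or a quote. Output encoding belongs where the value is echoed; at this point the useful check is on the identifier's shape, e.g. `if ($inp_doc_uid !== null && !ctype_alnum($inp_doc_uid)) { $inp_doc_uid = null; }` (adjust the test to whatever format document UIDs actually have in this project). `$app_uid` on the preceding line is read from `$_REQUEST['a']` with no check at all and deserves the same treatment. Wherever either UID is later rendered into a page, escape it there with the htmlspecialchars call that this commit places here.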
@@ -32,7 +32,7 @@ $aFields = $oAppDocument->load( $_GET['a'] );
 require_once 'classes/model/OutputDocument.php';
 $oOutputDocument = new OutputDocument();
 $aOD = $oOutputDocument->load( $aFields['DOC_UID'] );
-$a = $_GET['a'];
+$a = htmlspecialchars($_GET['a']);
 $ext = strtolower( $aOD['OUT_DOC_GENERATE'] );
 G::header( 'location: cases_ShowOutputDocument?a=' . $a . '&ext=' . $ext );
diff --git a/workflow/engine/skinEngine/neoclassic/error404.php b/workflow/engine/skinEngine/neoclassic/error404.php
index 7ba1f4082..83e1555ef 100644
--- a/workflow/engine/skinEngine/neoclassic/error404.php
+++ b/workflow/engine/skinEngine/neoclassic/error404.php
@@ -9,23 +9,42 @@ $urlLogin = $http . "://" . $host . "/sys/en/neoclassic/login/login";
 $urlHome = $urlLogin;
 if (isset($_GET["url"]) && $_GET["url"] != "") {
+ $url = urldecode($_GET["url"]);
 $url = explode("/", $url);
 $sysSys = "";
 $sysLang = "";
 $sysSkin = "";
- 
+ 
 if (isset($url[1]) && preg_match("/^sys(.+)$/", $url[1], $match)) {
 $sysSys = $match[1];
+ 
+ // Check if sys path exists
+ $checkDir = PATH_DATA."sites/".$sysSys;
+ if(!is_dir($checkDir)) {
+ $sysSys = '';
+ }
 }
+ 
 if (isset($url[2])) {
 $sysLang = $url[2];
+ 
+ if($sysLang != 'en') {
+ var_dump($sysLang);
+ }
 }
 if (isset($url[3])) {
 $sysSkin = $url[3];
+ 
+ // Check if sys path exists
+ $checkDir = PATH_SKIN_ENGINE.$sysSkin;
+ if(!is_dir($checkDir)) {
+ $sysSkin = '';
+ }
+ 
 }
 if ($sysSys != "" && $sysLang != "" && $sysSkin != "") {
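Review bot: `htmlspecialchars()` is the wrong encoder for `$a` here: the only use visible in the hunk is the query string of the Location header on the last line, which is a URL context rather than HTML, so `&`, `#` or `%` in the value still alter the redirect target while `&amp;` and similar entities are meaningless there. Use `$a = rawurlencode($_GET['a']);` instead, and encode `$ext` the same way in the `G::header(...)` call since it is concatenated into the URL unencoded as well. The hunk header also shows `$oAppDocument->load( $_GET['a'] )` consuming the raw parameter before this line, so the lookup itself is unaffected by the change; validating the identifier's format once, before both uses, would cover both.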